Some of the Lincoln Lab work that I was involved in back around 1998 got brought up again on
Bugtraq. I finally felt compelled to post there again.
For brevity I made a much shorter post, but here's the full rambling text before I managed to edit it down a bit.
Context: The discussion was how to categorize attacks. Historically the industry has used the word "local" to define an attack that gets someone super-user privileges when they are a normal user on the system, and "remote" for one that allows someone who merely has network access to the machine to gain actual permissions on it.
Crispin Cowan wrote:
> I participated in that Lincoln Labs study, and my recollection is
> that the remote/local distinction was already popular on bugtraq at
> the time.
I was working on that project, and Dr. Cowan's recollection matches
mine. Talks of "local" and "remote" were already in use somewhat on
Bugtraq, although I don't think they had yet become universal. (I'd
like to claim that the Lincoln studies helped push use of those terms
along, but the concepts are so simple and elegant that their universal
use was inevitable.)
One of the mental models involved in those 1998 classifications of
attacks was a "presence" of an attacker -- is the attacker outside
your network, on your network, or on your machine as a non-privileged
user? This model doesn't necessarily fit in well with some of today's
most common attacks, as was mentioned when this thread started.
It's not that trojan horses (whether you interpret that to mean just
hostile applications, or hostile data run by vulnerable applications)
weren't known about in 1998. It's that those attacks weren't
considered all that important when compared to things that were more
common at the time -- smurf attacks, pings of death, Sendmail buffer
overflows, SYN queue starvation.
I've seen a lot of classification schemes proposed on Bugtraq in the
intervening years, some of them quite good. (Search the archives for
"taxonomy" or "classification".) But unless they are -very- simple to
use, they won't be taken up by the community. If you can come up with
a single word that imputes the concept of "malicious data that I can
easily get onto the victim's machine and in front of the victim's
eyes but requires him to run it," that would be a great step forward.
Simplicity is key. (Unlike this posting, which I did not have time
to make shorter and simpler.)
But a foolish consistency is the hobgoblin of taxonomies. How do
phishing attacks fit in with that 1998 taxonomy? I could suppose
it's called local-to-root, but a better response would be to a) come
up with a better taxonomy, or b) accept that every possible "attack"
in the world may not fit into a given taxonomy. It seems the CVE
folks have just accepted that exact fits aren't going to happen
and are living with a bit of imprecision.
Trying to come up with a perfect taxonomy will drive you insane,
especially as you are dealing with the classification of the
actions of very creative humans.
And on the subject of compound attacks, there was also some work
coming out of Rome Labs at about the same time that was doing some
formalizing of the chaining of, say, remote-to-local with local-to-root
attacks to make a remote-to-root attack.